Splunk SOAR (f.k.a. Phantom)

Phantom App for Splunk: Error loading Phantom Server Configurations & Error HTTP certification verification?

test_qweqwe
Builder

Hi.
I don't understand how to fix it.

App: Phantom -> Phantom Server Configuration:
Error loading Phantom Server Configurations: You must have phantom_read, phantom_write and admin_all_objects permissions.


test_qweqwe
Builder

@sebeling3
Hi, I fixed it already.
If you have a problem like mine.
Try in Splunk via GUI:

Settings > Access controls > Roles > Admin > Capabilities

And move phantom_read, phantom_write from Available capabilities to Selected capabilities

If you have a problem with HTTPS certificate verification, try:
%splunk_home%/etc/apps/phantom/local/phantom

 [verify_certs]
 value = true (change to false)


bob_miron
Engager

Hi,

Thanks for documenting this, I was miles away and looking at the Capabilities on the Phantom side rather than Splunk's.

If I can participate, note that you can enable HTTPS with these steps:
from your browser (or any other method you like), export the certificate of the Phantom machine as an X.509 Certificate (PEM).
For instance, with Firefox: Click the padlock icon on the left of the URL > Click the arrow next to the IP address (if you're using the IP as I am) > More information (at the bottom) > Security tab > View Certificate > in the window that opens > Details > Export

Copy this to your Splunk machine in $SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem

Now return to Splunk's Web UI and save your "Phantom Server Configuration" again. This should be accepted. No restart required.
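
The two fixes in this thread pull in opposite directions: the accepted answer turns `verify_certs` off, while the reply above keeps verification on by giving Splunk the Phantom server's certificate as `cert_bundle.pem`. The script below is an added example for this thread, not code from Splunk or the Phantom app. It audits a `phantom.conf` for the weak setting, fetches the Phantom server's certificate from the command line (the equivalent of the browser export), prints its SHA-256 fingerprint for an out-of-band comparison, writes the bundle, and confirms that a verified TLS handshake succeeds with only that bundle as trust anchor. It assumes the `[verify_certs]` / `value = ...` stanza layout and the `local/cert_bundle.pem` path quoted in the thread; the sample stanzas and the function names are constructed for the example.

```python
"""Audit and harden the Phantom app's TLS setting from the Splunk side.

Added example for this thread; not code from Splunk or the Phantom app.
Assumptions: the stanza layout quoted in the thread ([verify_certs] /
value = ...) in $SPLUNK_HOME/etc/apps/phantom/local/phantom.conf, and the
bundle path $SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem.
"""
import configparser
import hashlib
import os
import socket
import ssl

# Constructed sample stanzas for offline use; not copied from a real install.
WEAK_CONF = "[verify_certs]\nvalue = false\n"       # the quick fix from the thread
HARDENED_CONF = "[verify_certs]\nvalue = true\n"    # the shipped setting, kept on


def verify_certs_enabled(conf_text: str) -> bool:
    """True when [verify_certs] value is true. A missing stanza is treated as
    true, matching the 'value = true' the thread shows before it was changed."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.getboolean("verify_certs", "value", fallback=True)


def audit(conf_text: str, bundle_present: bool) -> list:
    """Explain why the Splunk -> Phantom connection is or is not verified."""
    findings = []
    if not verify_certs_enabled(conf_text):
        findings.append("verify_certs=false: Splunk accepts any certificate for "
                        "the Phantom server, so the Phantom API token travels "
                        "over a connection anyone on the path can impersonate")
    if not bundle_present:
        findings.append("no cert_bundle.pem: a self-signed Phantom certificate "
                        "cannot be verified; export it to local/cert_bundle.pem "
                        "rather than turning verification off")
    return findings


def audit_local_dir(local_dir: str) -> list:
    """Run audit() against a real $SPLUNK_HOME/etc/apps/phantom/local directory."""
    conf_path = os.path.join(local_dir, "phantom.conf")
    conf_text = open(conf_path).read() if os.path.isfile(conf_path) else ""
    bundle = os.path.isfile(os.path.join(local_dir, "cert_bundle.pem"))
    return audit(conf_text, bundle)


def fetch_server_cert_pem(host: str, port: int = 443) -> str:
    """CLI equivalent of the browser export: download the Phantom server's leaf
    certificate as PEM. This first fetch is unverified by nature, so compare
    sha256_fingerprint() with the value shown on the Phantom host itself
    before trusting the file."""
    return ssl.get_server_certificate((host, port))


def sha256_fingerprint(pem: str) -> str:
    """Colon-separated SHA-256 fingerprint of a PEM certificate, as browsers show it."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def write_bundle(pem: str, local_dir: str) -> str:
    """Write the exported certificate to local/cert_bundle.pem and return its path."""
    path = os.path.join(local_dir, "cert_bundle.pem")
    with open(path, "w") as fh:
        fh.write(pem)
    return path


def connection_verifies(host: str, bundle_path: str, port: int = 443) -> bool:
    """True if a TLS handshake to the Phantom server succeeds with verification
    on and only cert_bundle.pem as the trust anchor, which is what Splunk has
    to manage once verify_certs is back to true."""
    ctx = ssl.create_default_context(cafile=bundle_path)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    # Usage: python phantom_tls_check.py <phantom-host> <path to .../apps/phantom/local>
    import sys
    host, local_dir = sys.argv[1], sys.argv[2]
    pem = fetch_server_cert_pem(host)
    print("fingerprint:", sha256_fingerprint(pem))
    bundle = write_bundle(pem, local_dir)
    print("verified handshake:", connection_verifies(host, bundle))
    for finding in audit_local_dir(local_dir):
        print("finding:", finding)
```

Two caveats for real installs: if the Phantom certificate was issued by a private CA rather than self-signed, the bundle needs the CA (or full chain) rather than the leaf alone, and if Splunk reaches Phantom by IP address, as the reply above does, the certificate must carry that IP in its Subject Alternative Name or hostname verification will still fail even with the right bundle.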

vasdell
Engager

One other thing that tripped me up: add your Splunk server IPs to the Allowed IPs list of the Phantom user you copied the token from.


DEAD_BEEF
Builder

For clarity, the path is:

%splunk_home%/etc/apps/phantom/local/phantom.conf


oadiaobong
New Member

I don't have a local folder; all I see is default. I made the change there and I still get the error "AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/phantom/configs/conf-phantom?count=-1&output_mode=json"

Can anyone help?


sebeling3
New Member

I'm seeing the same thing. I am new to Splunk and Phantom and wanted to set up a POC using the free versions. I've installed both Splunk (Win 2016) and Phantom on CentOS 7.4 on Azure on the same subnet.

Connectivity seems to be fine from both servers.

I am simply trying to set it up via the Splunk Enterprise "app" under this screen by following the directions on the Phantom Configuration Page.
